“Verizon and AT&T are adding ‘supercookies’ to your cellphone browsing.”
Cookies do not come from Keebler. They are small files that a website asks your browser to hold and hand back whenever that site asks for them. When they were conceived soon after the birth of the Web they were an innocuous means for a web server to remember what you, among the hundreds of people who may be browsing its pages, are doing. Since then, clever programmers have found valuable and sinister ways to use cookies. In response, users and browsers took steps that block not just the bad cookies but the good ones too, and the arms race continues.
Thus is born the supercookie, which does not reside in the browser. Generally it is some form of fingerprinting of specific characteristics of your computer. It is easy for a web server to ask the browser to report the plug-ins and fonts it knows about, as well as CPU capability and screen resolution, among other features. The server uses these statistics to better customize the web page, graphics, and video it sends you. A half-dozen pieces of information uniquely identify me out of over 4.5 million computers. The website can then collect this information in a database correlated with personal facts it already knows about you.
Recently the popular press has picked up on another type of supercookie being fed to us by the cell carriers. Verizon has acknowledged that they have included this “feature” since 2012, and it has also shown up in tests of AT&T phones. The technique relies on the fact that your cell carrier, like any ISP, is a man in the middle for everything you send out on its network. In this case, the carrier adds a text identifier to every HTTP transmission you send over cellular data; it is not included if you connect via WiFi. Verizon’s goal was to allow websites, for a fee, to send Verizon your code and receive some of the plethora of personal data Verizon knows about you. This could include details such as your demographics, your phone number, and which store you just walked into at the mall. Unfortunately for Verizon, because the ID is included whether the website subscribes or not, the website could just as easily build its own dossier on that ID. The ID is still attached to your browsing even if you opt out of allowing Verizon to sell your data.
The only way to block this identifier is to route all of your communications on the cellular network through a secure channel. They cannot attach the ID to HTTPS browsing. Fortunately, major social networking sites such as Facebook, Google, and Twitter use HTTPS all the time. For all the other websites you might visit, your only recourse is to install and use a VPN. Although Verizon is the only carrier to admit that it includes and monetizes this ID, the technology is available to every cellular company, ISP, or public access site.
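The injected identifier is visible to anyone who can compare what the browser sent with what the server received, which is exactly how the tests of Verizon and AT&T phones mentioned above were done. The following added example (not code from the post) does that comparison on constructed raw requests: it flags headers that appeared in transit, then keeps only those whose value stays the same across unrelated hosts, since a stable cross-site value is the tracking-ID behaviour the post describes while something like a proxy's Via header is not. The header name X-UIDH is the one publicly reported for Verizon's identifier and is not named on this page; the token value, host names and header set are constructed.

```python
"""Spot identifier headers that a network intermediary added to HTTP requests in transit."""

# What the browser actually put on the wire (constructed; in practice recorded on
# the client side, e.g. from the browser's developer tools).
BROWSER_SENT = {
    "Host": "example.com",
    "User-Agent": "Mozilla/5.0 (constructed)",
    "Accept": "text/html",
    "Accept-Language": "en-US",
    "Connection": "keep-alive",
}

# The request as it arrived at two unrelated servers over cellular data. X-UIDH is
# the publicly reported name of Verizon's header; the token is a constructed value.
TOKEN = "EXAMPLE-TOKEN-0123456789abcdef"
RECEIVED_SITE_A = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Connection: keep-alive\r\n"
    "Via: 1.1 cellgw.example (constructed)\r\n"
    f"X-UIDH: {TOKEN}\r\n"
    "\r\n"
)
RECEIVED_SITE_B = (
    "GET /news HTTP/1.1\r\n"
    "Host: news.example.net\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Connection: keep-alive\r\n"
    f"X-UIDH: {TOKEN}\r\n"
    "\r\n"
)
# Same request over Wi-Fi or inside HTTPS: the carrier cannot alter it.
RECEIVED_UNTOUCHED = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)


def parse_request(raw):
    """Parse a raw HTTP/1.1 request into (request_line, headers); names lower-cased."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def injected_headers(sent, raw_received):
    """Headers the server received that the browser never sent."""
    _, received = parse_request(raw_received)
    sent_names = {name.lower() for name in sent}
    return {k: v for k, v in received.items() if k not in sent_names}


def cross_site_identifiers(sent, raw_requests):
    """Injected headers carrying one identical value to more than one host.

    Legitimate proxy headers vary or appear only on one path; a value that follows
    the user to unrelated sites is a cross-site identifier."""
    seen = {}  # header name -> set of (host, value)
    for raw in raw_requests:
        _, received = parse_request(raw)
        for name, value in injected_headers(sent, raw).items():
            seen.setdefault(name, set()).add((received.get("host"), value))
    result = {}
    for name, pairs in seen.items():
        hosts = {h for h, _ in pairs}
        values = {v for _, v in pairs}
        if len(hosts) > 1 and len(values) == 1:
            result[name] = values.pop()
    return result


if __name__ == "__main__":
    print("added at site A:", injected_headers(BROWSER_SENT, RECEIVED_SITE_A))
    print("added untouched:", injected_headers(BROWSER_SENT, RECEIVED_UNTOUCHED))
    print("cross-site IDs: ", cross_site_identifiers(BROWSER_SENT, [RECEIVED_SITE_A, RECEIVED_SITE_B]))
```

The comparison needs the client-side record of the request because the server alone cannot tell a carrier-added header from one the browser chose to send; that is why the public checks worked by having a phone fetch a page from a server the tester controlled and echoing the headers back. Only the two cellular captures share the X-UIDH value, so only that header is reported as an identifier, and the Wi-Fi or HTTPS capture shows nothing added.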
---------------
References:
Steve Gibson’s Security Now
· The entire podcast: http://twit.tv/show/security-now/479
· His show notes and other text: https://www.grc.com/sn/sn-479-notes.pdf
Wired Magazine describes the process
My articles on cookies
EFF fingerprint test
(cc) 2014- Bill Barnes